{
	"id": "9f39b3c7-67f0-428c-8f4f-45a95d918ed2",
	"created_at": "2026-04-06T00:18:46.061526Z",
	"updated_at": "2026-04-10T03:36:13.597048Z",
	"deleted_at": null,
	"sha1_hash": "0b4264f483705c0e46a03d2f0cfa8ba5f1cf426e",
	"title": "ALPHV ransomware gang analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 221974,
	"plain_text": "ALPHV ransomware gang analysis\r\nBy Intrinsec\r\nPublished: 2022-01-26 · Archived: 2026-04-05 14:58:47 UTC\r\n[et_pb_section][et_pb_row][et_pb_column type=”4_4″][et_pb_text]\r\nALPHV (or BlackCat or Noberus) ransomware emerged only last December and is already considered as a\r\ngenuine threat that blue teams should be ready to fight against while little is known on the employed entry\r\nvector(s).\r\nThis conjecture relies not only on the high level of developing skills required to build such peculiar ransomware\r\npayloads and dedicated leak sites but also more resilient and secure architecture; the number of high-profile\r\nvictims is already growing at a fast pace and could keep switching between big and mid game hunting in the\r\ncoming months/years. Moreover, though not yet proven, ALPHV intends to embrace a triple extortion scheme\r\nby launching DDoS towards victims’ assets if the ransom is not paid.\r\nAs far as the threat genealogy is concerned, Darkweb forum analysis allows us to conjecture that at least one\r\nactor (affiliate and/or operator and/or web developer) with recent or past ties to Darkside/BlackMatter/REvil\r\ndecided to jump into a new RaaS program referred to as ALPHV. In addition, we found that another actor could\r\nhave been somewhat involved in the LockBit and/or the ALPHV RaaS program. 
After pivoting from its avatar, we found with medium-high confidence that the ransomware brand was inspired by a cult Russian movie where the Black Cat gang leaves a cat drawing or an actual cat at the scene of the crime.\r\nLast but not least, we found a runner tool being leveraged by affiliates of ALPHV to download and run payloads from a remote server upon an attack, which possesses strong code overlap with LockBit’s runner tool.\r\nAt the end of the document, we provide actionable intelligence to strengthen relevant layers of defences seeking to reduce or pre-empt the impact of this emerging threat.\r\nTable of contents\r\nIntrusion Set\r\nDescription/Chronology\r\nAliases\r\nPrimary motivation\r\nGoals\r\nTargets (identity, location or vulnerability)\r\nAttribution/Genealogy\r\nAnalysis\r\nFrontend and backend analysis of DLS\r\nAnalysis of the ransomware-as-a-service program\r\nCommonalities between LockBit2.0 and ALPHV\r\nTTPs\r\nMalware(s)/Tool(s)\r\nVulnerabilities\r\nCourse of action\r\nReferences\r\nAppendix\r\nMalware information\r\nThreat actor\r\nFAQ dedicated to its affiliates (published on the public DLS of ALPHV)\r\nDomain analysis of the ALPHV’s infrastructure\r\nhttps://www.intrinsec.com/alphv-ransomware-gang-analysis/\r\nPage 1 of 25\r\nIntrusion Set\r\nDescription/Chronology\r\nTo the best of our knowledge, the first attack that deployed ALPHV RaaS was reported by Symantec. 
Three variants in total hit hundreds of machines on November 18, 2021, while the first suspicious network activity had been observed on November 3.\r\nAliases\r\nThe group is referred to as ALPHV and is also known as BlackCat (because of a black cat icon set by the group in the first version of their dedicated leak site) or Noberus (by Symantec).\r\nPrimary motivation\r\nFinancial gains\r\nGoals\r\nALPHV aims at stealing confidential information, encrypting files and then demanding a ransom that needs to be paid; otherwise the threat actors publish the collected information or sell it to interested third parties.\r\nTargets (identity, location or vulnerability)\r\nThe table below presents known victims hit by ALPHV ransomware; please note that such a list is usually an underestimate. During our analysis we already found some probable victims that have so far remained under the radar of the cybersecurity community. From the limited amount of data available one can highlight that, as is commonly observed, the most targeted countries are primarily American and then European. 
Another common trait also emerging here is the almost indiscriminate type of sector being targeted.\r\nVictim | Country | Sector | Date\r\nContent available in a Private release | Romania | Heavy industries | 23 January 2022\r\nContent available in a Private release | UK | Financial organizations | 18 January 2022\r\nContent available in a Private release | Italy | Retail | 17 January 2022\r\nContent available in a Private release | United States of America | Construction | 17 January 2022\r\nContent available in a Private release | United States of America | Financial organizations | 16 January 2022\r\nContent available in a Private release | China | Heavy industries | 16 January 2022\r\nContent available in a Private release | United States of America | Heavy industries | 16 January 2022\r\nContent available in a Private release | Bahamas | Local administrations | 07 January 2022\r\nContent available in a Private release | United States of America | Food and drinks businesses | 01 January 2022\r\nContent available in a Private release | Netherlands | Insurance services | 01 January 2022\r\nContent available in a Private release | Germany | Technologies | 01 January 2022\r\nContent available in a Private release | United States of America | Information technologies consulting | 31 December 2021\r\nContent available in a Private release | United States of America | Financial organizations | 29 December 2021\r\nContent available in a Private release | United States of America | Information technologies consulting | 29 December 2021\r\nContent available in a Private release | Australia | Manufacturing | 29 December 2021\r\nContent available in a Private release | United States of America | Technologies | 29 December 2021\r\nContent available in a Private release | Canada | Energy | 29 December 2021\r\nContent available in a Private release | France | Transportation Services | 27 December 2021\r\nContent available in a Private release | Puerto Rico | Food and drinks businesses | 24 December 2021\r\nContent available in a Private release | Spain | Pharmacy and drugs manufacturing | 25 December 2021\r\nContent available in a Private release | United States of America | Technologies | 22 December 2021\r\nContent available in a Private release | France | Information technologies consulting | 19 December 2021\r\nContent available in a Private release | Germany | Transportation Services | 19 December 2021\r\nContent available in a Private release | Unknown | Unknown | 17 December 2021\r\nContent available in a Private release | Philippines | Retail | 14 December 2021\r\nContent available in a Private release | United States of America | Mining | 10 December 2021\r\nContent available in a Private release | United States of America | Engineering consulting | 08 December 2021\r\nAttribution/Genealogy\r\nAttribution of the intrusion set is at first glance contradictory: on one hand, according to Recorded Future experts, the operator of ALPHV had previously been a member of the well-known ransomware group REvil; on the other hand, according to the official LockBit Support account on the Russian cybercrime forum XSS, ALPHV is a rebranding of the Darkside / BlackMatter ransomware brands (see Figure 1).\r\nFigure 1 : Screenshot of a post by the official LockBit Support, the 2nd most impactful ransomware gang, claiming that the ALPHV operator was a former member of the Darkside / BlackMatter ransomware brands.\r\nALPHV operator was also seen replying to a troll feed on the XSS forum targeting LockBit (see Figure 2), which could 
indicate that they are competitors. ALPHV owns a business-oriented premium account that costs about one hundred dollars per year, which shows the intention of the latter to weigh in on the RaaS landscape.\r\nFigure 2 : On the left, a screenshot taken on December 28, 2021 from a random channel of the Russian cybercrime forum XSS. ALPHV operator replied to the trolling post of another user named Kelegen (on the right) claiming that the LockBit Dedicated Leak Site was pwned. The premium account ‘ALPHV’ was created on December 9, 2021 and has so far posted only this short message.\r\nAn analysis from the Korean threat intelligence company S2W Lab pinpointed that, like other RaaS ransomgangs, a config file is leveraged as an input to endow the ransomware with custom features tailored to the victims (see Analysis for details). Of note is the strong overlap with the config file previously used by BlackMatter. From the timeline provided by S2W, though, they conclude that it would have been too soon for ALPHV to rebrand from BlackMatter while rewriting from scratch a DLS (Dedicated Leak Site) and a Rust-based ransomware. This could at first glance substantiate an attribution to the REvil ransom cartel, whose first shutdown occurred in July 2021 and which was then hacked and forced offline after a comeback since the end of October this year, but there is too little material at the time of writing to conclude.\r\nAs far as BlackMatter is concerned, however, technical evidence such as the encryption routine study and code similarities shows that BlackMatter marked the comeback of Darkside core teams. This revival took place at the moment of Darkside’s disappearance following its infamous Colonial Pipeline major attack. 
We shall then recall the genesis of Darkside, which was born in August 2020 when pentesters first rented the REvil RaaS (operated by Pinchy Spider) until Carbon Spider operated its own variant based on the code of REvil, which became Darkside. To conclude on that first part, we thus underline past ties between REvil and Darkside as well as, more recently, between Darkside and BlackMatter.\r\nAs far as the ransomware code is concerned, we shall underline that BlackMatter is a mashup between LockBit, Darkside, and REvil.\r\nA possible scenario would be that at least one actor (affiliate and/or operator and/or web developer) with recent or past ties to Darkside/BlackMatter/REvil decided to jump into a new RaaS program referred to as ALPHV, but this assumption remains speculative at this stage.\r\nFrom another interesting conversation on the RAMP forum about the withdrawal of BlackMatter and assumptions on their next move, an avatar named BlackCat46 also aroused our interest (see Figure 3). Indeed, it turns out that the latter participated in the past not only in a similar conversation on the Russian cybercrime XSS forum with the same account name, but also in other topics involving the LockBitSupp account.\r\nFigure 3 : Screenshot taken from the Russian cybercrime XSS forum, displaying that LockBit claims to know the operator of ALPHV, a former member of the infamous REvil group, and that BlackCat46 liked this assumption. 
Its avatar on XSS and Exploit, both major Russian-speaking cybercrime forums, represents a picture of the famous Russian revolutionary LENIN taken in Gorki where he spent the last year of his life.\r\nThis could show that the latter has a particular interest in BlackMatter and a kind of ‘friendship’ with the LockBit operator; at the very least, a cross-analysis of its avatar content shows a particular tropism for RaaS programs.\r\nIn addition to that, the most recent avatar of BlackCat46 on RAMP is an angry cat, which obviously recalls the free black cat icon (also angry) that was chosen by ALPHV for private onion negotiation sites. By reverse image search analysis, we found its RAMP avatar on an entertainment website illustrating a 1979 cult film of the former Soviet Union called ‘The Meeting Place Cannot Be Changed’. The plot synopsis is not unlike what members of RaaS programs could experience: a gang of armed robbers calling itself “The Black Cat” keeps evading capture. Even more striking is the bleeding knife website icon used for the crime investigation category, which turns out to be the very same used on the public DLS of ALPHV (see Figure 4). We thus retrieved the link between the two website icons observed on ALPHV’s Private and Public DLS.\r\nFigure 4 : On the left, the profile of BlackCat46 on the RAMP forum. On the right, an illustration obtained by reverse image analysis of the BlackCat46 avatar on the RAMP forum, linked to a cult Russian movie where the Black Cat gang leaves a cat drawing or an actual cat at the scene of the crime. 
The knife icon of the website used for the crime investigation category matches the one used by ALPHV on their Public DLS.\r\nBased on the topics and conversations in which BlackCat46 is involved, we think that his profile could fit that of an affiliate with pentesting skills involved in a RaaS program. More interesting is that the latter requested help to protect against DDoS attacks on the aforementioned Russian cybercrime forum known as ‘Exploit’ (with the same Lenin avatar picture and account name BlackCat46 as observed on XSS). This recalls the fact that ALPHV named and shamed LockBit, which recently suffered DDoS attacks right after the latter made headlines by leaking very sensitive data of Accenture on their centralized DLS reachable by a unique onion domain. According to the LockBit operator, it is assumed that the hack back was triggered by victims’ third parties assisting with incident response and/or US agencies. As a result, one could conjecture that BlackCat46 could have been somewhat involved in the LockBit RaaS program and/or the ALPHV one to avoid being hacked back by DDoS attacks.\r\nAnalysis\r\nFrontend and backend analysis of DLS\r\nS2W Lab also showed that the frontend development was carried out in three stages. First, a Private Leak Site was used (now down) that became a unique Public Dedicated Leak Site (DLS), while negotiation sites are unique per victim. For this, a UUID is generated via the command:\r\ncmd /c wmic csproduct get UUID\r\nThis command is used to generate an access key that is required to reach the correct URL following this scheme:\r\nhxxp://Av3TorUniqueHiddenWebAddress[.]onion/?access-key=${ACCESS_KEY}\r\nAs far as the Public Leak Site of ALPHV is concerned, its frontend technology relies on Angular, which enhances user experience with single page applications. 
This extensively used open source framework is coupled with zone.js to reduce UI refreshing when change detection occurs.\r\nFrom our experience, this web technology is not often encountered and reflects good skills in terms of web development. The web developer could be a dedicated person and not necessarily the operator maintaining the infrastructure in operational conditions. As a result, an automated survey of their Public Dedicated Leak Site (DLS) by CTI teams is more difficult. Fortunately we found a workaround to provide information on victims that can be ingested in an automated way:\r\nContent available in the Private release\r\nConcerning the backend, this group claims to have learned from other ransom cartels’ mistakes such as Conti, which recently saw their servers uncovered by the Prodaft Threat Intel team. Also peculiar is the generation of a unique onion domain for each new company hit by ALPHV ransomware. This change of modus operandi was most likely driven by the intention to reduce the impact of the aforementioned DDoS attacks.\r\nALPHV offers an intricate affiliate program (see appendix) with self-deletion scripts and a built-in Bitcoin mixer, which does not communicate with the ALPHV infrastructure backend. The latter is fragmented into nodes that are interconnected through a whole network of pads within the onion network, sitting behind Network Address Translation (NAT) so genuine IP addresses are not directly accessible from the internet and are protected by a firewall.\r\nAnalysis of the Ransomware-as-a-service program\r\nSince early December 2021, the operator of ALPHV has been promoting its RaaS program on the underground Russian forum RAMP (see an English translation in appendix), inviting other criminals to join ransomware attacks against large companies. 
The operator later mentioned that only Russian-speaking affiliates could join the program, either by payment or by skill. It is worth mentioning, though, that overall more and more Chinese translations are found on underground forums, in a sort of objective alliance between black hats from the Commonwealth of Independent States and China against western countries. The operator claims that the malware can encrypt data on systems running Windows, Linux and VMware ESXi, and partners will receive 80% to 90% of the final ransom, depending on the total amount received from the victims.\r\nFigure 5 : ALPHV operator named RANSOM joined the RAMP forum on the 8th December, 2021 and described its RaaS affiliate program the day after. RAMP is a Russian-speaking underground forum that was launched in July 2021. The operator of RAMP was linked to the operator of Babuk and Payload.bin. N.B: we translated this page into English.\r\nALPHV operators were also seen on another underground Russian forum known as Exploit (see Figure 6) where they were actively recruiting pentesters specialized in Windows/Linux and ESXi. In the same post, they shared two TOX addresses and a Jabber address to discuss in a secure environment.\r\nFigure 6 : Screenshot taken from the Exploit underground forum showing the active recruiting process engaged by ALPHV to collaborate with pentesters specialized in Windows/Linux and ESXi. They shared two TOX addresses and a Jabber address to discuss in a secure environment.\r\nFocusing now on the ransomware anatomy, the latter encrypts selected files based on a whitelist and adds custom extensions to infected files (a 7-character extension such as .sykffle was so far witnessed in the wild for this program, most of the time chosen randomly). 
A peculiar trait of this ransomware upon deployment is its ability to apply numerous options through the command line (reachable via --help). Available features are presented for Windows and Linux systems respectively in Figure 7 and Figure 8.\r\nFigure 7 : Features provided by a representative sample of ALPHV ransomware targeting Windows systems.\r\nFigure 8 : Features provided by a representative sample of ALPHV ransomware targeting Linux systems.\r\nEvery sample can be customized via an embedded JSON configuration file, as shown by BleepingComputer, which enables common features such as creating a unique access token for the victim to keep negotiations private, changing extensions, ransom notes, data encryption, exclusions of folders/files/extensions, and the services and processes to be automatically killed to crank up the impact. Supplying an access token as a parameter is a previously seen anti-analysis tactic used by similar threats such as Egregor.\r\nFigure 9 : Screenshot of a representative sample of the config file extracted from a Windows ALPHV ransomware strain. Admin credentials and the victim’s name could be stored and could leak to the public upon negotiations, even before being exposed on ALPHV’s DLS, if a payload is pushed towards a third-party platform. Several features that can be enabled or disabled make this ransomware very versatile and impactful, in particular the capability to kill ESXi VMs and snapshots.\r\nWe could extract and analyse several outputs of both Linux and Windows samples and confirm the conclusions of S2W (see Figure 9). 
Of important note is that every successful attack stores admin credentials and the victim’s name into specific fields of the config file, which could become public once payloads are submitted to third-party platforms such as VirusTotal (please see an obfuscated example displayed via an open-source script).\r\nEvery compiled sample analysed so far would have been compiled with the emerging Rust language, instead of the more commonly encountered C/C++. Rust is a multi-paradigm programming language developed by Mozilla in 2010. As a matter of fact, it is the third impactful malware written in Rust, and the first of its kind as a Ransomware-as-a-Service. Such a peculiar choice was probably made not only because Rust is a cross-platform language (Windows, Linux, OSX) but also to better evade existing detection capabilities and reverse engineering methods. Moreover, when compared with C/C++, as Rust applies stricter rules, the latter could be considered more secure by default in the eyes of a programmer. Alternatively, the GoLang programming language keeps growing fast and is also an open-source project with cross-platform capabilities. The latter was already used for instance by the HIVE or NEPHILIM RaaS programs to take advantage of the language’s concurrency features to encrypt files faster. However, its ties with Google might restrain some ransomware operators, as Google’s projects overall do not fit the political vision they want to display to the public.\r\nThere are four types of encryption options as described by BleepingComputer (i.e., Full, Fast, DotPattern and Auto). All samples of ALPHV use a combination of AES128-CTR and RSA-2048 encryption to secure their malware against researchers getting encrypted files back. 
Amongst the several modes in which AES operates, the most used is CBC (Cipher Block Chaining), while CTR (CounTeR) was witnessed in the past in a few threats such as LockerGoga, Nefilim and REvil. In the case where AES (Advanced Encryption Standard) is not supported by the OS and if the auto mode option is enabled, ChaCha20 encryption is applied instead. So far, no weaknesses were found and overall, this new RaaS program is considered by the cybersecurity community to be very sophisticated. ALPHV also mentions that, in contrast to what happened to REvil after the massive Kaseya attack, a leak of a universal decryptor is not possible.\r\nDiving into reverse engineering code analysis of ALPHV ransomware targeting Windows systems, we discuss key functions leveraged by the ransomware and any commonalities found with past known techniques:\r\nEnumServicesStatusExW: is usually used by ransomwares for enumerating all the active services with the aim of deleting services matching a list (present in the config file of ALPHV). The call of such a function was for instance already seen in the wild in Darkside, BlackMatter, REvil and Netwalker.\r\nNetServerEnum: is used to list all servers of the specified type that are visible in a domain. 
The latter was also seen previously being leveraged by RegretLocker, WannaCry, NotPetya and Trickbot (operated by Wizard Spider) as a worm-like malware propagation module to spread over Server Message Block (SMB).\r\nNetShareEnum: playing the role of discovering network shares to enumerate DNS hostnames on the network, was encountered within numerous ransomwares such as Ranzy Locker, Netwalker, Cuba, LockBit, BlackMatter and Conti (operated by Wizard Spider).\r\nEnumDependentServicesW: was found to be shared with Avaddon and LockerGoga, to retrieve the name and status of each service that depends on specified services.\r\nARP scanner via the command “arp -a” [T1016]: scans the targeted device’s Address Resolution Protocol (ARP) table, which stores information about IP addresses and the corresponding MAC addresses. The discovery of new networks then allows a full scan for SMB volumes that can be mounted and eventually encrypted to crank up the impact. Such an ARP scanner was previously seen embedded within strains of Darkside, LockBit, Ranzy Locker, Avaddon and DoppelPaymer. We can also underline variants of Ryuk and Conti that exhibited more sophisticated behaviours by taking advantage of arp. The former reads ARP tables and wakes systems up by sending Wake-on-LAN commands (then uses RPC to copy itself to identified network shares), while the latter retrieves the ARP cache to focus only on network shares to which the victims normally connect. To be noted, beyond Ryuk’s peculiar Wake-on-LAN feature, is that other RaaS programs borrowed that capability, such as LockBit or Thanos.\r\nFigure 10 : Command line tool called arp (available on Linux, MacOS and Windows) was found in the source code of ALPHV ransomware to be used as an ARP scanner feature. 
The scanner allows looking for details about the network configuration [T1016].\r\nWe now discuss the approach to gather indicators of compromise (IOCs) and define the infrastructure and TTPs leveraged by affiliates of the ALPHV RaaS program and its operator.\r\nBesides, from TLP WHITE indicators of compromise shared by the platform Malware Bazaar (5 samples were available), we could pivot on VT Intelligence to harvest other reported and related IOCs (see the Recommendation section for technical details). By pivoting on one of the ELF Linux variant samples, a smaller file named setup.exe (see details in VT here) that contrasted with the other ransomware payloads drew our attention. As no GUID identifier was found in this file, we sought to pivot around artefacts (unique strings in the file content). As such, we could find two other similar files reported to VirusTotal (see Figure 11).\r\nFigure 11 : Screenshot of the VirusTotal Intelligence platform after pivoting on a unique string found in Portable Executable content. The sizes of the files are very close, while the second one turns out to be linked to another infamous ransomware group dubbed LockBit.\r\nThose files are .NET modules and not a more standard PE format file. We analysed the file more thoroughly by reverse engineering it via the open-source tool dnSpy. We first want to point out that no obfuscation is at play, thus all code can be directly rationalized. Four main functions stood out, as shown in Figure 12, after reversing the runner used by ALPHV’s affiliates. It is interesting to note that the download and upload functions point to the IP address:\r\n141.136.44[.]54\r\nThe latter resolves to the host on which the runner setup.exe was also present, meaning that ransomware payloads were hosted at the same place. 
We found out, at about the same time, that @malwrhunterteam substantiated this result in one of their tweets. Once the runner is launched with an access token set as an input, a message box like the one shown in Figure 9 pops up and asks the user whether or not to “REALLY RUN LOCKER????”. If the user chooses “YES”, an ALPHV ransomware payload will be downloaded from the remote host and executed locally.\r\nFigure 12 : Screenshot of the runner setup.exe found to be tied to the ALPHV threat arsenal. Four main functions are at play (DownloadAndRun, FullInfo, Start, UploaddDedInfo and UploadFiles). Both the runner and the payloads are hosted at hxxp://141.136.44[.]54/files/.\r\nCommonalities between LockBit2.0 and ALPHV\r\nAfter investigations via VT Intelligence we found that the second hash shown in Figure 11 was detected by some antivirus as LockBit ransomware. We thus decided to pursue the research in that direction and pivot around that IOC. After having unravelled the infrastructure behind that IOC, one can observe in Figure 13 that (i) the occurrence LockBit is often used in namings, (ii) the runner.exe (setup.exe) possesses numerous variants, (iii) URLs follow the same pattern observed for ALPHV (i.e., http://ip_address/files/toolname.exe) and (iv) the payload name 4mmc.exe was also used by ALPHV (see here an example).\r\nWe checked that the payloads do indeed correspond to LockBit weaponized strains. Moreover, we found that the hash value of the tool referred to as screensaver.exe was reported by The DFIR Report back in June 2020 upon an attack by LockBit ransomware, in which an executable that allows locking out access to the desktop was dropped but not used.\r\nFigure 13 : Screenshot taken from the VirusTotal Intelligence platform after having pivoted around the second hash highlighted in Figure 11 (see blue colour). 
One can observe several IOCs that belong to the infamous LockBit ransomware as well as some of its toolset, namely a screensaver locker and a runner for downloading payloads for encryption that is similar to the one ALPHV used.\r\nAs we found no direct link between this infrastructure and recent attacks perpetrated by LockBit affiliates, the latter could also have been used as a test infrastructure by ALPHV. This is substantiated by the filename LockBit_gay.exe (see Figure 13) submitted to VT on 2021-11-08, which could indicate that an imposter essentially rebranded the tool used by LockBit’s affiliates and used it for ALPHV’s campaigns. The word ‘gay’ is not without recalling the recent flooding of Babuk’s new ransomware forum (RAMP), crippled by a comment spammer with gay orgy porn GIFs. Not only the filenames (setup.exe) and their sizes (in a range of 15-15.5 KB) but also the source code are obviously strongly overlapping, as demonstrated in Figure 14. The main change arises from the adaptation of the code with the aim of including the anti-analysis tactic required for running a payload of ALPHV (i.e., the aforementioned unique access token).\r\nFigure 14 : Source code differencing via git diff. Reverse engineering analysis shows that the source code of LockBit’s arsenal (in red) and ALPHV’s arsenal (in green) are strongly overlapping. The main change arises from the adaptation of the code to include the unique access token per victim required for running a payload of ALPHV.\r\nIt is hard to conclude at this stage whether or not ALPHV is a ‘new’ group. However, it suggests that ALPHV at the very least borrowed a part of LockBit’s toolset, which requires non-public knowledge. Such knowledge of leveraging a runner for downloading and running ransomwares from remote servers could likely have been shared by affiliates that sometimes participate in several ransomware-as-a-service programs. 
It could also be a subgroup of LockBit that split because of internal frictions or a rebrand triggered by\r\nthe core-group of LockBit to take their ransomware to the next generation and escape sanctions.\r\nhttps://www.intrinsec.com/alphv-ransomware-gang-analysis/\r\nPage 13 of 25\n\nTTPs\r\n [Intrusion Set](THREAT ACTOR operating ALPHV and its affiliates’ modus operandi)\r\nHere is a JSON file format compatible with the MITRE ATT\u0026CK Navigator of shared TTPs of both\r\nrepresentative payloads targeting Linux / Windows systems as well as the operator and affiliates modus operandi\r\nreported so far. It is interesting to note that by pivoting on their public DLS we found a section dedicated to\r\nALPHV affiliates that provides a procedure on how to leverage the ransomware payloads on different operating\r\nsystems upon an attack (see appendix).\r\nTactic Technique Procedure\r\nExecution\r\n[TA0002]\r\nSystem Services: \r\nService\r\nExecution[T1569.002]\r\nCommand and Scripting\r\nInterpreter: Windows\r\nCommand Shell\r\n[T1053.003]\r\nWindows Management\r\nInstrumentation [T1047]\r\nShared Modules [T1129]\r\nIn some cases ransomware was deployed via\r\nScreenConnect but also via PSEXEC (being\r\nembedded in the ransomware code after a\r\ncompression via zlib). 
ALPHV makes heavy use of the remote administration tool PsExec (Service Execution [T1569.002], formerly [T1035])\r\nas well as PowerShell ([T1059.001], formerly [T1086]).\r\nALPHV can use the Windows command line to:\r\n• delete volume shadow copies and disable recovery;\r\n• modify the Windows registry.\r\nThe adversary uses WMI to execute various behaviours, such as gathering information for discovery.\r\nfsutil was executed to modify the SymlinkEvaluation behaviour, i.e., which kinds of symbolic links (local or\r\nremote targets) the system will follow. A symbolic link is a file in a directory that acts as a shortcut to\r\nanother file or folder.\r\nTactic: Credential Access [TA0006]\r\nTechniques: Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay [T1557.001]; OS Credential Dumping:\r\nLSA Secrets [T1003.004]\r\nProcedures: Symantec reported suspicious Server Message Block (SMB) requests towards the patient-zero machine.\r\nSymantec also reported attempts to dump the Local Security Authority (LSA) registry hive remotely from another\r\nmachine on the network during an attack.\r\nTactic: Collection [TA0009]\r\nTechniques: Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay [T1557.001]\r\nProcedures: Threat actors may have leveraged the LLMNR/NBT-NS poisoning and SMB relay sub-technique.\r\nTactic: Defense Evasion [TA0005]\r\nTechniques: Impair Defenses: Disable or Modify Tools [T1562.001]; Abuse Elevation Control Mechanism: Bypass User\r\nAccount Control [T1548.002] (the CMSTPLUA COM elevation moniker described in the appendix; not to be confused\r\nwith Signed Binary Proxy Execution: CMSTP [T1218.003], which covers abuse of cmstp.exe itself); Modify Registry\r\n[T1112]\r\nProcedures: According to Symantec the attackers disabled a restricted remote administration feature known as\r\n‘RestrictedAdmin mode’, as well as Windows Defender.\r\nA well-known technique to circumvent Windows User Account Control (UAC) was used (see details in the appendix).\r\nModification of the registry occurred during an attack. 
According to Symantec, attackers were also seen raising the maximum number of concurrent requests a\r\nmachine accepts by modifying the Windows registry, to further help spreading via PsExec. Please note that we\r\nfound this to be a capability of the ransomware itself and not a human-operated command (see Appendix).\r\nTactic: Discovery [TA0007]\r\nTechniques: System Information Discovery [T1082]; System Network Connections Discovery [T1049]; Ingress Tool\r\nTransfer [T1105] (Command and Control tactic)\r\nProcedures: ALPHV runs commands to collect system information via WMIC, in particular the Universally Unique\r\nIdentifier (UUID) of each machine. The UUID is then used to generate the ‘access token’ that forms part of the\r\nunique Tor address victims are instructed to visit.\r\nALPHV attempts to propagate by mounting hidden (administrative) shares with the ‘net use’ command; as\r\nmentioned above, admin credentials are embedded in the config file within the payload.\r\nALPHV affiliates bring their own external tools into a compromised network.\r\nTactic: Exfiltration [TA0010]\r\nTechniques: Exfiltration Over Web Service [T1567]\r\nProcedures: Double extortion: exposure of sensitive data on a DLS. ALPHV leaks victim data not only if the\r\nvictims do not pay, but also once threat intelligence teams access their chat logs or discuss their operations.\r\nThis posture recalls recent threats proclaimed by several RaaS groups after chat logs were leaked and exposed\r\nby CTI teams and renowned cybersecurity journalists, which weakened the leverage of the malicious negotiators.\r\nTactic: Impact [TA0040]\r\nTechniques: Inhibit System Recovery [T1490]; Data Destruction [T1485]; Service Stop [T1489]; Data Encrypted for\r\nImpact [T1486]; Network Denial of Service [T1498]\r\nProcedures: According to @malwrhunterteam this could be the first ransomware that cleans up VM snapshots. 
The payload also deletes shadow copies and empties the Recycle Bin.\r\nAccording to @vxunderground it also deletes decryption keys.\r\nAs previously seen, ALPHV payloads can stop services and kill processes to increase the impact (using the\r\nEnumServicesStatusExW function to enumerate all active services and deleting those whose name matches the\r\nlist present in the config file).\r\nSimple extortion: encryption of sensitive data.\r\nTriple extortion: as an additional extortion method, the threat actors threaten to DDoS victims unless they\r\npay the ransom.\r\nMalware(s)/Tool(s)\r\nConnectWise Control (formerly known as ScreenConnect), a legitimate remote administration tool, was\r\nleveraged. This tool had already been abused by other ransomware cartels such as REvil during the recent\r\nmassive attack against Kaseya, and by APTs since 2016.\r\nAnother legitimate tool, KeyStore Explorer, which can be used to create and browse KeyStores via its graphical\r\ninterface, was reported. It is not yet clear whether there is any link with ALPHV at this stage (see here); one\r\ncould conjecture that the tool was used to generate unique key pairs for each victim, but it should be treated\r\nas a false positive.\r\n7-Zip and Rclone were reported by SpearTip as the toolset used for data exfiltration.\r\nVulnerabilities\r\nTo the best of our knowledge no vulnerability has yet been reported as exploited by the affiliates of this RaaS\r\nprogram. We should mention though that SentinelOne telemetry indicated “a primary delivery of BlackCat is via\r\n3rd party framework/toolset (e.g., Cobalt Strike) or via exposed (and vulnerable) applications”.\r\nOther entry vectors remain extensively used: RDP brute-force attacks and insecure RDP/VPN connections. 
It is also likely that this advanced threat actor, if it has not already, could rapidly\r\nuse an Initial Access Broker to provide its affiliates with a foothold on a victim’s network. Keep in mind\r\nthat such Initial Access Brokers (IABs) could also exploit the latest headline vulnerability, Log4Shell.\r\nCourse of action\r\nPrevent IABs or affiliates from breaching your network\r\n- Focus efforts on patching and monitoring the most impactful flaws reported in the information bulletins\r\nproduced by the Intrinsec CTI team about the latest TTPs of this ecosystem (PrintNightmare,\r\nProxyLogon/ProxyShell/ProxyOracle, PetitPotam, Log4Shell, VMware)\r\n- Enable hardware MFA keys wherever possible on the critical assets requiring the most protection\r\n- Identify and document the organization’s people, information and in particular exposed assets such as\r\nVPN, RDP, web servers, etc. (N.B., this inventory shall always be kept up to date)\r\n- Train your teams against phishing \u0026 social-engineering methods\r\n- Use a WAF (kept up to date) to filter and monitor incoming web traffic for web servers and apps\r\n- Reinforce the security monitoring of Windows workstations with an EDR (or failing that, Sysmon) and a\r\nreinforced audit policy\r\n- Conduct vulnerability scans regularly on exposed servers to confirm whether or not they are vulnerable to\r\nknown attack schemes\r\n- Reinforce perimeter filtering (email/browsing) with sandboxing for all attachments and downloaded files,\r\nplus SSL inspection\r\n- Maintain and regularly assess a disaster recovery plan, including global backup capabilities (onsite and\r\noffsite)\r\n- Reinforce authentication with strong authentication means wherever possible, a password strength policy\r\nplus audit, and log forwarding to the SIEM\r\n- Do not forget BYOD security management: security policy deployment and enforcement, compliance,\r\ninventory, network access control\r\n- As Cobalt Strike is probably the most prolific 
post-exploitation framework, used not only by\r\nred teamers and top-tier RaaS affiliates but also by several APTs, it is worth investing effort in detecting its\r\ncapabilities\r\nDetect ALPHV affiliates before your data gets exfiltrated and then encrypted\r\n- Craft fake documents (financial, cyber insurance, employee data falling under GDPR) that beacon back\r\nthrough Canarytokens, alerting blue teams with a very high true-positive rate. Incident response teams can\r\nthen pre-empt or expel the threat more efficiently by being involved at the early stages of an attack\r\n- Monitor the IOCs \u0026 commands that we collected, vetted and made available on our GitHub. Please note that\r\nif you are an Intrinsec SOC (Security Operation Center) customer, the IOCs related to this campaign are\r\nbeing integrated into our MISP\r\n- Block network \u0026 system IOCs globally\r\nDetect ALPHV affiliates before your data gets encrypted, while it is being exfiltrated\r\n- Ensure blue teams can detect Rclone (leveraged by ALPHV for data exfiltration) with relevant Sigma rules\r\nsuch as here and here\r\nDetect ALPHV affiliates while they are encrypting data, to reduce the impact\r\n- It is worth mentioning here that an open-source tool has recently been developed by Florian Roth, CTO of\r\nNextron, as a simple ransomware vaccine (available on GitHub). 
Named “Raccine”, this tool detects and stops any Windows process trying to delete the shadow copies of a system,\r\na behaviour triggered by ALPHV payloads as well as by similar threats.\r\nReferences:\r\nhttps://www.bleepingcomputer.com/news/security/ALPHV-blackcat-this-years-most-sophisticated-ransomware/\r\nhttps://github.com/cdong1012/Rust-Ransomware\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-ALPHV-rust-ransomware\r\nhttps://medium.com/s2wblog/blackcat-new-rust-based-ransomware-borrowing-blackmatters-configuration-31c8d330a809\r\nhttps://id-ransomware.blogspot.com/2021/12/blackcat-ransomware.html\r\nAppendix\r\nMalware information\r\n[TTPs of a WINDOWS payload]\r\nA JSON file compatible with the MITRE ATT\u0026CK Navigator highlights the Tactics, Techniques and Procedures (TTPs),\r\naccording to the MITRE ATT\u0026CK framework, of a representative ALPHV payload targeting Windows systems.\r\nAs far as registry modification is concerned, reverse engineering showed that ALPHV ransomware targeting Windows\r\nembeds the following command (see Figure 15):\r\nreg add HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f\r\nFigure 15: Screenshot highlighting the registry key added by the ransomware code. MaxMpxCt raises the maximum\r\nnumber of concurrent SMB requests the server accepts from a client, which favours spreading via PsExec during the\r\nattack.\r\nIn some of those payloads, reverse engineering unravelled attempts to bypass Windows User Account Control (UAC)\r\nin order to stealthily execute code with elevated permissions (Abuse Elevation Control Mechanism: Bypass User\r\nAccount Control [T1548.002]). This technique, known as the COM Elevation Moniker, allows applications running\r\nunder UAC to activate COM classes with elevated privileges. 
More precisely, we found the globally unique identifier (CLSID) {3E5FC7F9-9A51-4367-9063-A120244FBEC7} (a\r\n128-bit value written as hexadecimal digits within a pair of curly braces, which can be found under the registry\r\npath HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{3E5FC7F9-9A51-4367-9063-A120244FBEC7}), which is\r\nassociated with cmstplua.dll (the Connection Manager Admin API Helper for Setup). This CLSID is a common\r\nindicator for detecting UAC bypass via an auto-elevated COM interface.\r\nIn the same vein as Sophos reported in April 2020 for LockBit ransomware, ALPHV maximises damage by checking\r\nwhether its process holds Administrator rights (via the OpenProcessToken function). If not, it masquerades as\r\nWindows Explorer (explorer.exe), initialises the COM library by calling CoInitializeEx, appends the CLSID to the\r\nelevation moniker and activates it. We also found the string “evation:Administrator!new:”, the tail of the\r\nexpected value “Elevation:Administrator!new:” documented by Microsoft, which allows applications running under\r\nUAC to activate COM classes with elevated privileges (see Figure 16):\r\nFigure 16: UAC bypass via the COM Elevation Moniker.\r\nSuch UAC bypass capability was previously seen in the threat landscape embedded in ransomware such as\r\nMedusaLocker, Avaddon, REvil, Darkside and BlackMatter. 
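\r\nSeveral of the behaviours catalogued in the TTP table and in this appendix leave concrete, searchable traces:\r\nthe MaxMpxCt registry change, the fsutil SymlinkEvaluation change, shadow-copy deletion, WMIC collection of the\r\nmachine UUID and the mounting of administrative shares all show up as process command lines, while the CMSTPLUA\r\nCLSID and the elevation moniker show up as strings inside the payload. The Python below is an added example\r\nwritten for this page, not code from Intrinsec nor from the ALPHV toolset: it classifies constructed\r\nprocess-creation events against those command lines and correlates them per host, and it scans a constructed\r\nbyte blob for the CLSID (as text and as a little-endian GUID structure) and for the moniker suffix reported\r\nabove. The rule names, the 600-second window, the T1021.002 mapping for the share mount and all sample data are\r\nassumptions made here.\r\n

```python
# Added example for this page (not Intrinsec code, not the ALPHV toolset): triage of
# the ALPHV Windows payload behaviours described in the TTP table and the appendix.
# Part 1 classifies process-creation events (Sysmon Event ID 1 / Security 4688 style)
# and correlates them per host; part 2 scans a binary blob for the CMSTPLUA CLSID and
# the COM elevation moniker. Events and blob are constructed sample data.
import uuid
from collections import defaultdict
from typing import Dict, List, Tuple

# Rule = (name, ATT&CK id as given in the report, whole-word tokens, substrings); all lower-case.
# The admin-share mapping T1021.002 is mine; the report gives none for it.
RULES: List[Tuple[str, str, Tuple[str, ...], Tuple[str, ...]]] = [
    ('maxmpxct_registry_tweak', 'T1112', ('reg', 'add'), ('lanmanserver', 'maxmpxct')),
    ('symlink_evaluation_change', 'T1112', ('fsutil', 'behavior', 'set'), ('symlinkevaluation',)),
    ('shadow_copies_deleted_vssadmin', 'T1490', ('delete', 'shadows'), ('vssadmin',)),
    ('shadow_copies_deleted_wmic', 'T1490', ('shadowcopy', 'delete'), ('wmic',)),
    ('uuid_collected_for_access_token', 'T1082', ('csproduct', 'get', 'uuid'), ('wmic',)),
    ('admin_share_mounted', 'T1021.002', ('net', 'use'), ('$',)),
]

def normalize(text: str) -> str:
    # lower-case, drop double quotes, collapse whitespace so token matching is stable
    return ' '.join(text.replace(chr(34), '').lower().split())

def match_rules(image: str, cmdline: str) -> List[str]:
    # the image basename is included so rules can key on it even if the command line omits it
    norm = normalize(image + ' ' + cmdline)
    words = set(norm.split())
    return [name for name, _, needed, subs in RULES
            if all(w in words for w in needed) and all(s in norm for s in subs)]

def triage(events: List[dict], window: int = 600) -> Dict[str, dict]:
    # Per host: the rules that fired and the largest number of distinct rules inside any
    # span of `window` seconds. One rule alone is weak evidence (admins delete shadow
    # copies too); the payload fires several of these within seconds, so distinct
    # rules in a short span drive the severity.
    per_host: Dict[str, List[Tuple[int, str]]] = defaultdict(list)
    for ev in events:
        for rule in match_rules(ev['image'], ev['cmdline']):
            per_host[ev['host']].append((ev['ts'], rule))
    verdicts = {}
    for host, hits in per_host.items():
        hits.sort()
        best = 0
        for i, (t0, _) in enumerate(hits):
            best = max(best, len({r for t, r in hits[i:] if t - t0 <= window}))
        severity = 'high' if best >= 3 else 'medium' if best == 2 else 'low'
        verdicts[host] = {'rules': sorted({r for _, r in hits}),
                          'max_distinct_in_window': best, 'severity': severity}
    return verdicts

CLSID_CMSTPLUA = '3E5FC7F9-9A51-4367-9063-A120244FBEC7'
# The report saw the truncated 'evation:Administrator!new:'; searching for that suffix
# also matches the full, documented 'Elevation:Administrator!new:' moniker.
MONIKER_SUFFIX = 'evation:Administrator!new:'

def find_uac_bypass_indicators(blob: bytes) -> List[Tuple[str, str, int]]:
    # Returns (indicator, encoding, offset). The CLSID may be stored as text (ASCII, or
    # UTF-16LE as Windows APIs take it) or as a 16-byte GUID struct in little-endian
    # field order, which is what a hard-coded GUID constant compiles to.
    braced = ('{' + CLSID_CMSTPLUA + '}').lower()
    hay = blob.lower()  # case-insensitive text search; the NUL bytes of UTF-16LE are unaffected
    searches = [
        ('clsid_text', 'ascii', braced.encode('ascii'), hay),
        ('clsid_text', 'utf-16-le', braced.encode('utf-16-le'), hay),
        ('clsid_struct', 'guid-le', uuid.UUID(CLSID_CMSTPLUA).bytes_le, blob),
        ('elevation_moniker', 'ascii', MONIKER_SUFFIX.lower().encode('ascii'), hay),
        ('elevation_moniker', 'utf-16-le', MONIKER_SUFFIX.lower().encode('utf-16-le'), hay),
    ]
    found = []
    for name, enc, needle, data in searches:
        off = data.find(needle)
        while off >= 0:
            found.append((name, enc, off))
            off = data.find(needle, off + 1)
    return found

BS = chr(92)  # a single backslash, spelled out so no escape sequences appear in this listing
SAMPLE_EVENTS = [  # constructed events: host, epoch seconds, image basename, command line
    {'host': 'ws01', 'ts': 1000, 'image': 'wmic.exe', 'cmdline': 'wmic csproduct get UUID'},
    {'host': 'ws01', 'ts': 1003, 'image': 'reg.exe', 'cmdline': 'reg add HKEY_LOCAL_MACHINE' + BS
     + 'SYSTEM' + BS + 'CurrentControlSet' + BS + 'Services' + BS + 'LanmanServer' + BS
     + 'Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f'},
    {'host': 'ws01', 'ts': 1004, 'image': 'fsutil.exe', 'cmdline': 'fsutil behavior set SymlinkEvaluation R2L:1'},
    {'host': 'ws01', 'ts': 1006, 'image': 'vssadmin.exe', 'cmdline': 'vssadmin.exe Delete Shadows /all /quiet'},
    {'host': 'ws01', 'ts': 1007, 'image': 'wmic.exe', 'cmdline': 'wmic.exe Shadowcopy Delete'},
    {'host': 'ws01', 'ts': 1009, 'image': 'net.exe', 'cmdline': 'net use ' + BS + BS + 'fs01' + BS + 'c$'},
    {'host': 'admin-pc', 'ts': 5000, 'image': 'reg.exe', 'cmdline': 'reg add HKCU' + BS + 'Software' + BS + 'Demo /v Flag /d 1 /f'},
    {'host': 'ws02', 'ts': 5100, 'image': 'vssadmin.exe', 'cmdline': 'vssadmin list shadows'},
    {'host': 'ws02', 'ts': 7000, 'image': 'vssadmin.exe', 'cmdline': 'vssadmin delete shadows /all /quiet'},
]
# constructed stand-in for a payload: fake header, wide moniker, GUID struct, ASCII CLSID
SAMPLE_BLOB = (b'MZ' + bytes(62) + 'Elevation:Administrator!new:'.encode('utf-16-le') + bytes(8)
               + uuid.UUID(CLSID_CMSTPLUA).bytes_le + bytes(4)
               + ('{' + CLSID_CMSTPLUA + '}').encode('ascii') + b'explorer.exe')

if __name__ == '__main__':
    for host, verdict in triage(SAMPLE_EVENTS).items():
        print(host, verdict['severity'], verdict['rules'])
    for indicator in find_uac_bypass_indicators(SAMPLE_BLOB):
        print(indicator)
```

\r\nOn the sample data, ws01 is rated high (six distinct rules within ten seconds), ws02 is rated low (a lone\r\nshadow-copy deletion) and admin-pc, whose registry write touches neither LanmanServer nor MaxMpxCt, is not flagged\r\nat all. Searching the binary for the moniker suffix rather than the full string catches both the documented\r\nvalue and the truncated form observed above, and searching for the GUID structure as well as the text catches\r\npayloads that embed the CLSID as a compiled constant instead of a string.\r\n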
Strong TTP overlap has been reported between MedusaLocker and Avaddon, and between Darkside and BlackMatter,\r\nas mentioned above.\r\n[TTPs of a LINUX payload]\r\nIn the same vein, a JSON file compatible with the MITRE ATT\u0026CK Navigator covers the TTPs of a representative\r\npayload targeting Linux systems (VMware ESXi).\r\nMalware Behaviour Catalog (MBC)\r\nMBC objectives and behaviours of representative ALPHV Linux \u0026 Windows ransomware samples are available\r\nin our GitHub. The MBC mappings were generated with Mandiant’s open-source tool capa.\r\nThreat actor\r\nRaaS program announcement (published on the RAMP underground forum)\r\nINTRO\r\nWe are glad to welcome you to our affiliate program.\r\nWe have taken into account all the advantages and disadvantages of previous partner programs and are proud to\r\nbring you ALPHV – the next generation of ransomware.\r\nAll software is written from scratch; the decentralization of all web resources is architecturally laid down. A\r\nunique onion domain is generated for each new company. For each advertiser, an entrance is provided through its\r\nown unique onion domain (hello LockBit).\r\nOwn datacenter for hosting leak files, over 100 TB.\r\nWe are already cooperating with top recovery companies that worked with darks, revils, etc.\r\nThere is chat support available 24/7, but if you wish, you can negotiate yourself.\r\nSECURITY\r\nWe are in every possible way ready for existence in modern conditions, meeting all the requirements for the\r\nsecurity of infrastructure and advertisements. 
In the affiliate program all possible links with forums are\r\narchitecturally excluded (hello revil); algorithms for self-deletion of data upon expiration of the limitation period\r\nare laid down; a built-in mixer is integrated with a real break in the chain (not to be confused with Wasabi, BitMix\r\nand others), because you get completely clean coins from foreign exchanges. The wallets to which your coins were\r\nsent are unknown to our backend. The infrastructure is fragmented into so-called nodes that are\r\ninterconnected through a whole network of pads within the onion network and are located behind NAT + FW.\r\nEven when obtaining a full-fledged cmdshell, the attacker will not be able to reveal the real IP address of the\r\nserver (hi Conti).\r\nSOFTWARE\r\nThe software is written from scratch without using any templates or previously leaked source code of other\r\nransomware. The choice is offered:\r\n4 encryption modes:\r\n- Full – full file encryption. The safest and slowest.\r\n- Fast – encryption of the first N megabytes. Not recommended for use, the most unsafe possible solution, but the\r\nfastest.\r\n- DotPattern – encryption of N megabytes through M step. If configured incorrectly, Fast can work worse both in\r\nspeed and in cryptographic strength.\r\n- Auto. Depending on the type and size of the file, the locker (both on Windows and *nix / ESXi) chooses the most\r\noptimal (in terms of speed / security) strategy for processing files.\r\n- SmartPattern – encryption of N megabytes in percentage steps. By default, it encrypts 10 megabytes every 10% of\r\nthe file starting from the header. The most optimal mode in the ratio of speed / cryptographic strength.\r\n2 encryption algorithms:\r\n- ChaCha20\r\n- AES\r\nIn auto mode, the software detects the presence of AES hardware support (exists in all modern processors) and\r\nuses it. 
If there is no AES support, the software encrypts files with ChaCha20.\r\nCross-platform software, i.e. if you mount Windows disks in Linux or vice versa, the decryptor will be able to\r\ndecrypt the files.\r\nSupported OS:\r\n– The whole Windows line from 7 upwards (tested by us on 7, 8.1, 10, 11; 2008R2, 2012, 2016, 2019, 2022); XP and\r\n2003 can be encrypted over SMB.\r\n– ESXi (tested on 5.5, 6.5, 7.0.2u)\r\n– Debian (tested on 7, 8, 9)\r\n– Ubuntu (tested on 18.04, 20.04)\r\n– ReadyNAS, Synology\r\nSince binaries have recently been leaking to analysts, and premium VT allows you to download samples and\r\nreceive the readme in chats, random people may appear who can disrupt negotiations (hello darkside); when\r\nlaunching the software it is MANDATORY to use the --access-token flag. The cmdline arguments are not passed to\r\nthe AVers, which keeps the correspondence with the victim private. For the same reason, each encrypted\r\ncomputer generates its own unique ID used to separate chats.\r\nThere is a function for automatic downloading of files from the MEGA service: you give a link to the files and they\r\nare automatically downloaded to our servers.\r\nYou can get a full description of all functionality in the FAQ section.\r\nACCOUNT\r\nIf there is no activity for two weeks, your account will be frozen and subsequently deleted. 
To avoid this, we\r\nrecommend that you notify the administration about possible vacations, pauses and other things.\r\nThe rate is dynamic and depends on the amount of a single payment for each company, namely:\r\n– up to $1.5M – 80%\r\n– up to $3.0M – 85%\r\n– from $3.0M – 90%\r\nAfter reaching the $1.5M mark in terms of the sum of all payments on your account, you will have access to\r\nhosting services for companies’ leaked files, dialing and DDoS absolutely free.\r\nFAQ dedicated to its affiliates (published on the public DLS of ALPHV)\r\nWed Nov 17 2021\r\nHow-To\r\nHow to start a locker on ESXi or *nix?\r\n1. Download the build via scp\r\n    scp sample_alfa_x86_64_linux_encrypt_app root@10.0.0.1:/tmp/\r\nLog in via ssh and give execution rights\r\n    cd /tmp/ \u0026\u0026 chmod +x sample_alfa_x86_64_linux_encrypt_app\r\nLaunch the locker ALWAYS with the token (obtained when creating the build) and in the background ( \u0026 )\r\n    /tmp/sample_alfa_x86_64_linux_encrypt_app --access-token XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX \u0026\r\nTo display the speed and the encryption progress, or to override the options specified when creating the build,\r\nyou can use the flags:\r\n-p, --paths \u003cPATHS\u003e – forced indication of paths\r\n-v, --verbose – output the log to the console\r\n--no-vm-kill – do not stop VMs (use if VMs are manually stopped, otherwise VM files will not be encrypted)\r\n--no-vm-snapshot-kill – do not delete snapshots (use if snapshots were manually removed)\r\n--ui – launch with a graphical interface\r\nHow to run Windows locker on one PC?\r\n1. 
Load the build and run cmd / powershell as administrator, go to the folder with the locker and start it\r\nALWAYS with the token (obtained when creating the build)\r\n    ./sample_alfa_x86_64_linux_encrypt_app.exe --access-token XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\r\nTo display the speed and the encryption progress, or to override the options specified when creating the build,\r\nyou can use the flags:\r\n-p, --paths \u003cPATHS\u003e – forced indication of paths\r\n-v, --verbose – output the log to the console\r\n--no-net – do not encrypt network shares\r\n--no-prop – do not use the worm functionality (self-propagation by getting the list of IPs in the ARP table and\r\ntrying PsExec with the accounts hard-coded for impersonation)\r\n--ui – launch with a graphical interface\r\nHow to run Windows locker on one PC using drag and drop?\r\n1. Load the build and run cmd / powershell as administrator, go to the folder with the locker and start it\r\nALWAYS with the token (obtained when creating the build) and the flag --drag-and-drop-target\r\n    ./sample_alfa_x86_64_linux_encrypt_app.exe --access-token XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX --drop-drag-and-drop-target\r\nA .bat file will appear in the folder with the locker, onto which you can drag files, folders, disks, etc.\r\nHow to run Windows locker in the whole domain?\r\n1. 
Load the build on the PDC and run cmd / powershell as administrator, go to the folder with the locker and\r\ncopy it to C:\\WINDOWS\\sysvol\\sysvol\\*yourdomain*\\scripts\r\n    copy sample_alfa_x86_64_linux_encrypt_app.exe C:\\WINDOWS\\sysvol\\sysvol\\*yourdomain*\\scripts\\locker.exe\r\n* The locker.exe file must be accessible via \\\\yourdomain\\netlogon\\locker.exe\r\nIn the group policy editor, change the Default Group Policy or create a new one and link it to Default.\r\nChange Computer / User Configuration \u003e Preferences \u003e Control Panel Settings \u003e Scheduled Tasks\r\nWhen creating a new task, on the General tab fill in the name and description (optional), tick the Run with\r\nhighest privileges checkbox and select the user SYSTEM\r\nOn the Actions tab, click New and fill in the fields as follows:\r\nAction → Start a program\r\nProgram/script → cmd.exe\r\nAdd arguments (optional) → /c \\\\yourdomain\\netlogon\\locker.exe --access-token\r\nXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\r\nStart in (optional) → leave blank\r\nWe accept all changes through apply / ok and close the group policy editor.\r\nOn the PDC, we execute the gpupdate /force command; after a while the network will begin to be\r\nencrypted.\r\nA complete list of functions is available via -h, --help\r\nDomain analysis of ALPHV’s infrastructure\r\nWhen first investigating the status of the host (resolved by the IP address 141.136.44[.]54), it was found to\r\nbe up and located in Vilnius, Lithuania. All common ports are filtered or closed except 80 (HTTP); among the\r\nfiltered ports is RDP, a service very often used as an entry vector by brute-forcing weak accounts.\r\nPassive HTTP server banners reveal an Apache server (version 2.4.29, although 2.4.52 had been released on\r\n2021-12-20) on an Ubuntu Linux distribution. 
The attackers also enabled traffic compression, as shown by passive analysis of the banners (content-encoding:\r\ngzip), most likely to hinder malware scanners and avoid suspicion while speeding up upload/download operations.\r\nWe found two domains that resolved to the given IP address:\r\nsupport-global-it-ss[.]com\r\nhosting-global-it-ss[.]com\r\nTheir homepages indicate that those websites offer IT support services; they seem to belong to the same entity\r\nand could be legitimate. No direct link with the malicious activities emanating from the given IP could be\r\nestablished.\r\nDo you want to know more about adversaries’ TTPs and emerging threats targeting your organization?\r\nOur CTI team has a solution dedicated to producing knowledge on cyber threats through two complementary\r\noffers:\r\nInformation reports: a continuous monitoring service covering the main cyber threats (vulnerabilities and attack\r\ncampaigns)\r\nSector intelligence papers: produced on a weekly or monthly basis, informing you about the threats targeting\r\nyour industry (latest attack campaigns, incident response lessons learned and evolution of the cybercriminal\r\necosystem)\r\nIf you wish to know more about our solutions, please contact us at: contact@intrinsec.com\r\n[/et_pb_text][/et_pb_column][/et_pb_row][/et_pb_section]\r\nSource: https://www.intrinsec.com/alphv-ransomware-gang-analysis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.intrinsec.com/alphv-ransomware-gang-analysis/"
	],
	"report_names": [
		"alphv-ransomware-gang-analysis"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8610b0d9-a6af-4010-818f-28671efc5d5e",
			"created_at": "2023-01-06T13:46:38.897477Z",
			"updated_at": "2026-04-10T02:00:03.138459Z",
			"deleted_at": null,
			"main_name": "PINCHY SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:PINCHY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c84bbd2e-003d-4c43-8a46-d777455db2c7",
			"created_at": "2022-10-25T15:50:23.701006Z",
			"updated_at": "2026-04-10T02:00:05.378962Z",
			"deleted_at": null,
			"main_name": "GOLD SOUTHFIELD",
			"aliases": [
				"GOLD SOUTHFIELD",
				"Pinchy Spider"
			],
			"source_name": "MITRE:GOLD SOUTHFIELD",
			"tools": [
				"ConnectWise",
				"REvil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9df68733-9bcd-43b1-88f1-24b110fa3d56",
			"created_at": "2022-10-25T16:07:24.051993Z",
			"updated_at": "2026-04-10T02:00:04.851037Z",
			"deleted_at": null,
			"main_name": "Pinchy Spider",
			"aliases": [
				"G0115",
				"Gold Garden",
				"Gold Southfield",
				"Pinchy Spider"
			],
			"source_name": "ETDA:Pinchy Spider",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"GandCrab",
				"GrandCrab",
				"REvil",
				"Sodin",
				"Sodinokibi",
				"VIDAR",
				"Vidar Stealer",
				"certutil",
				"certutil.exe",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434726,
	"ts_updated_at": 1775792173,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0b4264f483705c0e46a03d2f0cfa8ba5f1cf426e.pdf",
		"text": "https://archive.orkl.eu/0b4264f483705c0e46a03d2f0cfa8ba5f1cf426e.txt",
		"img": "https://archive.orkl.eu/0b4264f483705c0e46a03d2f0cfa8ba5f1cf426e.jpg"
	}
}